Hello,
I created a windows executable which reads lines from a file and outputs to console and made Splunk run this - but I had no luck finding the results in my search. I am currently running a .bat file in my inputs.conf (which runs the .exe). I can see my script was added to the list of scripts but it does not seem to be working.
I am curious if writing to console is the right way to pass the data into Splunk. If it is where could I be wrong? Any help would be greatly appreciated!
Yes, your scripted input should write event out to the console aka
"stdout" (standard output). (Normally this is accomplised using a "print" or "echo" command, depending on your programming environment). Anything written to "stderr" (standard error) will also be stored in the _internal
index because it's assumed to be an error message.
Finding your events within splunk will depend on your settings in your inputs.conf
entry for your scripted input. Specifically the "index", "host", "source" and "sourcetype" settings will dictate where and how your events are stored by splunk. (You can always just search for a unique term that you know your scripted input will be writing out.) But I would recommend explicitly setting a source and sourcetype for your scripted input.
I would also suggest that you look in the internal index for any errors. Try the following search:
index=_internal sourcetype=splunkd ExecProcessor
This should give you a starting point as to what errors (if any) have being encountered.
Yes, your scripted input should write event out to the console aka
"stdout" (standard output). (Normally this is accomplised using a "print" or "echo" command, depending on your programming environment). Anything written to "stderr" (standard error) will also be stored in the _internal
index because it's assumed to be an error message.
Finding your events within splunk will depend on your settings in your inputs.conf
entry for your scripted input. Specifically the "index", "host", "source" and "sourcetype" settings will dictate where and how your events are stored by splunk. (You can always just search for a unique term that you know your scripted input will be writing out.) But I would recommend explicitly setting a source and sourcetype for your scripted input.
I would also suggest that you look in the internal index for any errors. Try the following search:
index=_internal sourcetype=splunkd ExecProcessor
This should give you a starting point as to what errors (if any) have being encountered.
cool cool everything good to go now
Pretty much everything that you do configure from the UI simply generates a config file entry. So you should be able to find your scripted input in one of the inputs.conf
files on your system. (Check various local
directories.) There is also something in the docs called "How config files work" (or something like that) I would recommend that you read that if your new to splunk and it's config files.
Thanks for your reply! I actually got it going now. I have another question though, is it possible to edit sourcetype and all through the inputs.conf or props.conf even though you added the script through Manager -> Data Inputs -> Scripts? The splunk documentation (http://www.splunk.com/base/Documentation/4.1.3/Admin/Setupcustom(scripted)inputs) shows you two ways to do it and my impression was that you have to work one way or the other and not get the mixed up.